Tuesday, July 29, 2014

Back in April, we wrote about the French power company, EDF, being used as a universal phishing target in our article, Multi-Brand French Phisher uses EDF Group for ID Theft. Since that time we are seeing that those targeting French speaking victims are choosing yet another large utility to serve as proxy for all of the French banking world. This time the phishing lures are for SFR.

This phish has been especially popular this year. Malcovery's PhishIQ service has seen more than 1,000 SFR phish on more than 330 hacked servers so far this year, including dozens just in the month of July 2014. More importantly though, the attackers are growing more sophisticated! The attack described below is one of the most sophisticated phish we've seen to date, employing "man-in-the-middle" logins where SFR credentials are tested before the victim is allowed to proceed, and nearly a dozen customized bank security procedure questions being processed.

In a typical example of these phish, the victim receives an email that appears to be from SFR informing them that an error was made in their bill, "Ce mail vous a été envoyé dans le but de vous informer qu une erreur est survenue lors de l établissement de la dernière facture" and to "Cliquer ici pour ouvrir le formulaire de remboursement" (Click here to open the refund form). The victim is also warned that they need to fill out the form completely, or they won't get their refund (in some cases 95 Euros!):

While there are several versions of the SFR phish, the most sophisticated that we have encountered so far can be seen on a British horse enthusiasts website (obviously hacked).
What makes this one particularly compelling is that it begins by requiring the victim to be using their true SFR userid and password. On the originating screen, the user is told to "Connectez-vous" by entering his userid (Identifiant) and password (Mot de passe).

The Action of this form of the phishing site actually passes the userid and password to SFR and confirms whether or not a true identifier has been used. If false information is provided, the phishing victim receives a message back informing him that

So, with a little incentive to not lie to the criminal, and a fairly strong reason to believe they are really speaking with SFR, the victim continues to page two after providing true login credentials.

On the second page, the victim is invited to choose their bank from a long list of French banks. Depending on which bank they choose, they will be prompted for appropriate additional verification details used by that bank.
Banks on the list include:

AXA Banque

Banque AGF / Allianz

Banque de Savoie

Banque Dupuy de Parseval

Banque Marze

Banque Palatine

Banque Populaire

Banque Postale

Barclays

BforBank

Binck.fr

BNP

BNP Paribas La NET Agence

Boursorama Banque

BPE

Caisse d'Epargne

CIC

Coopabanque

Crédit Agricole

Crédit Cooperatif

Crédit du Nord

Crédit Mutuel

Crédit Mutuel de Bretagne

Crédit Mutuel Massif Central

Crédit Mutuel Sud-Ouest

e.LCL

Fortis Banque

Fortuneo Banque

Groupama Banque

HSBC

ING Direct

LCL

Monabanq

Societe Generale

Société Marseillaisle de Crédit

Autre Banque

Here are some examples: (Click on any image to enlarge)

Some banks require the visitor to enter their 3DSecure code

AXA Banque has a custom code for their clients

Banque Postale has security questions, such as:

Quel est le prénom de l'aîné(e) de vos cousins et cousines ?

Quel était le prénom de votre meilleur(e) ami(e) d'enfance ?

Quel était votre dessin animé préféré ?

Quel a été votre lieu de vacances préféré durant votre enfance ?

Caisse d'Epargne also provides a personalized Client code.

Even the "Cyberplus" electronic password generators used by Banque Populaire are included in this phish!

Some banks also require information about the victim's birthplace

After successfully acquiring both your SFR.com userid and password, and the necessary information to take over the bank account of the phishing victim, the criminal sends you on your way, after congratulating you on your success!

(The update was successful. SFR thanks you for using its Bank Assurance services. You can continue browsing the site with full security.)

After seeing this message briefly, the visitor is forwarded to the true www.SFR.fr website.

.PIF files are like those organs we are said to have for some reason that are not necessary in these modern times. If you still remember the pain of migrating from DOS 5.0 to Windows 3.0, you will remember that we had .PIF files because DOS binaries did not have all the niceties of Windows programs, such as embedded icons and a place to store the default start-up path. Back when Ugg the Caveman was discovering fire and Bill Gates was leading a development team, you could make your DOS Executables APPEAR to be Windows files by sticking a .PIF file of the same name in the same directory. Windows knew that it should associate the .PIF file with the .EXE or .COM file of the same name, and suddenly we had icons! Of course the malware authors have done some sneaky things with this in the past. When Sality was a young pup, browsing a directory that contained the ".pif" format of Sality was enough to get Windows to execute the malware -- because "Active Desktop" knew that if it saw a .PIF file, it should load it so it would know what graphical icon to associate with which programs in the directory listing. Unfortunately, that was all Sality needed to launch itself! So many people were victimized thinking that the AUTORUN=OFF on their thumb drive had failed without realizing it was just what .PIF files did back then.

So, this morning in the Malcovery Spam Data Mine we saw 1,440 copies of a spam message claiming to be from "orange.pl" with the subject "MMS-ie" and a 70,390 byte .zip file with a randomly numbered IMG#####.zip filename. The .ZIP file contained a 126,976 byte .PIF file that was named "IMG875002763.JPEG.pif" and had an MD5 hash of d382068a8666914584d0ae51dd162c6b. When I just checked the file a few minutes ago on VirusTotal, thinking I would see various Zeus-related malware names based on the SCMag / WebSense articles, I was surprised to see that the file was actually TinBa or "Tiny Banker"!

Late last week I was one of the many folks trying to get a friend to get me a copy of the Tinba source code that had been leaked, as Peter Kruse over at CSIS told us on July 10, 2014 (See Tinba/Hunterz source code published. Peter shared a talk The Hunterz Inside Tinba at the recent Cyber Threat Summit, and, with Trend Micro's Robert McArdle and Feike Hacquebord, released a paper called "W32.Tinba, The Turkish Incident" (a 24-page PDF that gives great insights into the malware family).

Tinba: The Polish Incident

If the earlier paper was called "The Turkish Incident", perhaps the current version should be called "The Polish Incident". Here is the email that was distributed so prolifically this morning:

In case you aren't as fluent in Polish as the rest of us, here is how Google Translate renders that:

If your phone does not support multimedia messages, you can send and receive using the Crates MMS or MMS Album. Simply log on www.orange.pl. For each received in an MMS message box will send you e-mail.
If the recipient of the message does not have MMS-capable phone will be able to pick it up by logging into the portal www.orange.pl, and then select Multi Box and MMS tab. Multimedia messages can also be sent to any e-mail.

The spam from Monday, July 14th, was Tinba spam according to VirusTotal. Late this evening (about 18 hours after the spam campaign) VirusTotal reported a (25 of 53) detection rate.

The spam from July 11th was also in Polish, and also imitated Orange, although this time the sender was Orange.com. There was a .zip file attached, which contained a file named "DKT_Faktura_indywidualna_2014_07_11_R.pdf.pif" which was 102,400 bytes in size and had an MD5 hash of da9330aa6d275ba28954b88ecf27dedb. The .zip file was 70,323 bytes with MD5 hash of fc1e0a665f99b347e424281a8a6a2526.
The spam from July 11th was also Tinba spam, according to many vendors at VirusTotal. But the email body was much simpler. The message, still in Polish, was:

Sunday, July 13, 2014

I spent some time yesterday in the Malcovery Security Spam Data Mine looking at the E-Z Pass malware campaign. The ASProx spammers behind that campaign have moved on to Court Notice again . . .

Subjects like these:

Hearing of your case in Court No#

Notice of appearance

Notice of appearance in court No#

Notice to Appear

Notice to Appear in Court

Notice to appear in court No#

Urgent court notice

Urgent court Notice No#

(All of the subjects that have "No#" are followed by a four digit integer.)

(click to enlarge)

As normal, the spammers for these "Court Appearance" spam campaigns have just grabbed an innocent law firm to imitate. No indication of any real problem at Green Winick, but I sure wish one or more of these abused law firms would step up and file a "John Doe" lawsuit against these spammers so we could get some civil discovery going on!

These are the same criminals who have Previously imitated other law firms including Jones Day (jonesday.com), Latham Watkins (lw.com), Hogan Lovells (hoganlovells.com), McDermitt, Will & Emery (wme.com), and many more! Come on! Let's go get these spammers and the malware authors that pay them!

We've seen 88 destination hosts between July 10th and this morning (list below) but it is likely there are many more!

When malware spammers use malicious links in their email instead of attachments, they tend to have a much better success rate if they deliver unique URLs for every recipient. That is what is happening in this case, and what always happens in these ASProx / Kuluoz spam campaigns. An encoded pseudo-directory is used in the path portion of the URL, which is combined with rotating through hundreds of 'pre-compromised' websites to host their malicious content.

Four patterns in the path portion of the URL are better indicators as we believe there will be MANY more destination hosts.

tmp/api/…STUFF…=/notice

components/api/…STUFF…=/notice

wp-content/api/…STUFF…=/notice

capitulo/components/api/…STUFF...=/notice

where "...STUFF..." is an encoding that we believe is related to the original recipient's email address, but have been unable to confirm at this time.

Extra credit points to Kaspersky and Norman for useful and accurate naming !

Kaspersky = Net-Worm.Win32.Aspxor.bpyb
Norman = Kuluoz.EP

Each of the 88 destination websites that we observed was likely compromised to host the malware. We do not believe these are necessarily "Bad Websites" but they either have a vulnerability or have had the webmaster credentials stolen by criminals.

If these are YOUR website - look for one of those directories I mentioned ...

Friday, July 11, 2014

Over on the Malcovery Security Blog yesterday we covered a new version of GameOver Zeus (see: GameOver Zeus Mutates, Launches Attack ) that was distributed in three spam campaigns on July 10, 2014. At the bottom of that blog post, we're sharing a detailed "T3 Report" by analysts Brendan Griffin and Wayne Snow that gives all the details. In our reporting yesterday we mentioned that the new bot is using a Fast Flux Command & Control structure and that it is using a Domain Generation Algorithm to allow the malware distributed in the spam to locate and connect to the Command & Control servers.

I wanted to geek that a bit deeper for those who want more details on both of those subjects. First, let's look at the Fast Flux.

Fast Flux Command & Controlled Botnet

Fast Flux is a technique that allows a criminal who controls many servers to obfuscate the true location of his server by building a tiered infrastructure.

Sometimes there are additional "tiers" or levels of misdirection. We don't yet know how many layers there are in this newGOZ botnet.

(click to enlarge)

Here's the flow . . .

the newGOZ criminal pays the Cutwail spammers to send out emails to infect new victims

the Cutwail spammer sends out his emails. On July 10th, they were "Essentra Past Due" and emails imitating M&T Bank and NatWest Bank

while many people delete the emails, ignore the emails, or have them blocked by spam, SOME people click on the emails

each domain is queried for. the Bot computers say "Hey, Internet! Does this domain exist?"

on July 10th, cfs50p1je5ljdfs3p7n17odtuw.biz existed ... "the Internet" said "Yes, this exists and NS1.ZAEHROMFUY.IN is the Nameserver that can tell you where it is."

When most nameservers tell the address of a computer, they give a "Time To Live" that says "The answer I'm giving you is probably good for 24 hours" or 2 days, or a week, or whatever. But the Nameserver used in a FastFlux Bot, like, NS1.ZAEHROMFUY.IN, usually gives a "Time To Live" answer that says "The answer I'm giving you is only good for about 5 minutes. After 5 minutes, you need to ask me again in case the address has changed."

NS1.ZAEHROMFUY.IN receives constant updates from "newGOZ Criminal" of servers all over the world (but mostly in Ukraine) that have been hacked. Almost every time you ask the nameserver "Where is the newGOZ domain?" it will give you a different answer.

the "FastFlux C&C" boxes are now running nginx proxy software that says "Whatever you ask me, I will ask the servers at the Evil Lair of newGOZ. Whatever the Evil Lair of newGOZ wants to say, I will pass back to you.

Updates from the Evil Lair get passed back THROUGH the FastFlux Proxy and give the newGOZ bots new malware or commands

All traffic to and from the newGOZ bot, whether it is the bot "checking in" or the criminal pushing an "update" goes through one of the proxies, which are constantly changing.

Fast Flux newGOZ resolutions

All of the servers (or workstations) in this table were used as Fast Flux C&C nodes last night by the newGOZ botnet. We'll keep tracking this with friends from ShadowServer, DissectCyber.com and others and sharing this information with our trusted partners, but I wanted to throw out this example. If you have ability to look at "Net Flow" for any of these computers, you may be able to help us locate "The Evil Lair of the newGOZ Criminal." (Which sounds like a lot more fun than just looking at packet dumps, doesn't it? Sorry, this isn't my job, it is my passion. Geeks have to convince themselves they are Fighting Evil or we would get bored. Since the first GOZ enabled the theft of $100 Million or so ( for more see as an example Crooks Seek Revival of GameOver Zeus Botnet where Brian even shares the FBI Wanted Poster of the guy who is thought to be behind Zeus.

Wednesday, July 09, 2014

The media is buzzing about the arrest of hacker and stolen credit card vendor Roman Seleznev who has appeared in court in the US territory of Guam after being arrested in the Maldives. We wrote about Seleznev as part of the RICO racketeering case against the owners and operators of the Carder.su website. (See The Carder.su indictment: United States v. Kilobit et. al.) but that was only the first part of Seleznev's trouble. Until this weekend, the original 27-page indictment against Seleznev in the Western District of Washington was under court seal.

In the Kilobit/Las Vegas indictment, the charges are that Seleznev did "Participate in a Racketeer Influenced Corrupt Organization [RICO]" and "Participated in a Conspiracy to Engage in a Racketeer Influenced Corrupt Organization."

The whole group are described in the indictment like this:

"The defendants herein, and others known and unknown, are members of, employed by, and associates of a criminal organization, hereafter referred to as "the Carder.su organization," whose members engage in acts of identity theft and financial fraud, including, but not limited to, acts involving trafficking in stolen means of identification; trafficking in, production and use of couterfeit identification documents; identity theft; trafficking in, production and use of unauthorized and counterfeit access devices; and bank fraud; and whose members interfere with interstate and foreign commerce through acts of identity theft and financial fraud. Members and associates of the Carder.su organization operate principally in Las Vegas, Nevada, and elsewhere.

The important thing to understand about RICO is that as PART OF THE CORRUPT ORGANIZATION all of the charged members are sentenced as if the whole group did all of the crimes.

What does that mean to Seleznev? In Las Vegas, Nevada, Seleznev is being charged with being part of a RICO group that is credited with directly causing, in actual measured and aggregated fraudulent transaction losses, $50,893,166.35!!

But before Vegas gets their hands on him, Seleznev will face charges in the Western District of Washington for Case # 2:11-cr-0070-RAJ-1.

This 27 page indictment, filed March 3, 2011, was just unsealed on July 6, 2014 when Seleznev appeared in court in Guam.

Washington charges that Seleznev "knowingly and willfully devised and executed and aided and abetted a scheme and artifice to defraud various financial institutions, including, but not limited to, Boeing Employees' Credit Union, Chase Bank, Capital One, Citibank, and Keybank, and to obtain moneys, funds, and credits under the custody and control of the banks by means of material false and fraudulent pretenses, representations and promises, as further described below."

Seleznev would:

hack into retail businesses,

install malicious computer code onto those hacked computers,

and use the malware to steal credit card numbers from the victim businesses' customers

thus allowing these cards and the associated accounts to be used for fraudulent purposes by the customers of his service.

Seleznev's malware primarily was controlled from a server named shmak.fvds.ru or smaus.fvds.ru at the IP address 188.120.225.66 which is housed in a data center in the Russian Federation of Irkutsk. (That IP-name mapping is confirmed by Internet Identity's historical Passive DNS systems in May 2010.) A collection of malware found at the root site of that website, including malware named shmak, shmak2, kameo, hameo, zameo, dtc, dtc2, dtc4, rsca, remcomsvc, and others. FVDS.RU is a "third level domain" system that is attractive to criminals wishing to host malware on dedicated hostnames, without having to have their ownership of the hostname tracked in WHOIS services or through credit card payments.

Bulba would advertise when he had new cards for sale, claiming as many as 17,000 "Fresh Dumps" (newly stolen and never before used for fraud) cards and offering guarantees, including free card replacement for cards that were declined. Seleznev/Bulba had such high quality, that the owners of the popular crdsu.su and carder.biz allowed Seleznev and others to assume Monopoly status as the preferred card vendors for their boards, which were extremely prevalent in the underground.

According to the newly unsealed indictment, Seleznev personally stole (through his malware) more than 200,000 cards, and succesfully sold over 140,000 of those cards through his websites bulba.cc and Track2.name between November 15, 2010 and February 22, 2011, generating direct illicit profits in excess of $2,000,000 USD.

Just the cards stolen by Seleznev at the Broadway Grill have been associated with $79,317 in fraudulent charges, and all of the cards stolen by Seleznev are responsible for actual fraud charges of at least $1,175,217.37.

November 15-16, 2010, $83,490 in charges were made against Boeing Employees Credit Union cards.

Jan 31-Feb 1, 2011, $30,716 in charges against BECU.

Seleznev will have a hearing in Guam on July 22, and then be transferred to the Seattle courts.

Seleznev Diplomatic Spat with Russia?

The story is growing into an international diplomatic spat as a Russian politician and member of the Duma, Valery Seleznev, is the father of the cyber criminal. In a statement from the Russian Foreign Ministry, the Russians accuse Maldives of ignoring their Bilateral Treaty of 1999 on Mutual Assistance in Criminal Matters. The statement says this is the third recent case of a similar situation, citing the examples of Viktor Bout and K.V. Yaroshenko as other recent cases where the US has forcibly taken a Russian citizen from a third country to stand trial in the United States. I strongly agree with the statement at the close of their statement, where they "strongly encourage our countryment to pay attention to the cautions posted by the Russian Foreign Ministry on their website about the risks associated with foreign travel, if there is a suspicion that U.S. law enforcement agencies can charge them with any crime."

Who are these others who are mentioned? Viktor Bout (Виктор Анатольевич Бут) was arrested in Thailand in 2008 and extradited in 2010 to stand trial for terrorism charges for delivering anti-aircraft missiles to FARC in Colombia. He was convicted by a jury in Manhattan (More from The Guardian) Konstantin Yaroshenko was arrested in May 2010 in Liberia as a cocaine smuggler pilot when he landed his plane in Monrovia, Liberia and was arrested by the DEA as he tried to negotiate a contract for $4.5 million to deliver 5 tons of cocaine from Colombia to West Africa. Yaroshenko was knowingly working with smugglers who were raising funds for the Colombian terror group FARC. (See Superseding Indictment

At Malcovery Security, we've been tracking the ASProx botnet for some time. Most of these IP addresses were already known to belong to the ASProx botnet for some time. This is the same botnet that sent the Holiday Delivery Failure spam imitating Walmart, CostCo, and BestBuy over the holidays and that send the Court Related Malware through the early months of 2014.

Thanks to some updates from new friends on Twitter, we wanted to give an update on what we are seeing in the Malcovery Spam Data Mine. Because every advertised URL is unique, we have taken the approach of replacing the "unique stuff" with "...STUFF..." in the URLs below. The important part is that we realize that anything that you see in your logs that includes either "tmp/api" or "wp-content/api" or "components/api" and then some "STUFF" and then "=/toll" is going to be one of these URLs that is part of the current E-Z Pass spam, which began on July 8th and is still continuing here on July 12th. If you have access to Very Large Logs, we'd love to get YOUR URLs of this pattern to see if we can help webmasters identify and shut this stuff down. Note the alphabetical progression through compromised domain names? These are sorted by timestamp, not by domain name. It just so happens those are the same thing. We believe the criminals have a very large list of pre-compromised domains that they can use at will. Possibly these are just harvested passwords from other malware campaigns.

This malware is the ASProx malware. If anyone has more details on the "what happens next?" part of the malware, please do share. What we have observed and been told is that infected machines are primarily used for advertising click-fraud, but happy to learn more about those aspects and share what we learn.

Sometimes I am so impressed by the things my employees at Malcovery discover as they work through the various email-based threats we process and report about for our customers. Brendan, Wayne, and J evaluate and document hundreds of malware threats each week from our Spam Data Mine and because of their daily interactions with so much malware notice patterns that others miss. I've been asking them to be especially mindful of what the Cutwail spammers are moving to next as the GameOver Zeus era moves to a close, and Brendan did a great job of covering that over on the Malcovery Blog in the article How Spammers Are Filling the Gameover Zeus Void.

June 16 - Disk57.com first sighted

On June 16, 2014, Brendan and the team noticed three malware campaigns distribution spam campaigns that were all pushing the same malware. The email subjects were:

Subject: USPS - Missed package delivery
Subject: You have received a new fax
Subject: Scanned Image from a Xerox WorkCentre

By a week later, the detection rate was up to 38 of 46 AV products detecting this as malware, but at the time of the spam campaign, only Sophos and K7 had signature-based detection for the malware, though some vendors may have offered other types of protection.

Whichever of the three versions you downloaded, the SCR file was actually a PE-executable which would contact the site "disk57.com" in order to "check in" by hitting the file "gate.php" on that server. The Ukrainian server in question, 188.190.117.93, (AS197145, Kharkiv Infium LLC) had been seen previously communicating with malware on March 26 and March 27 using the domain name "malidini.com".

The registry was modified so that a copy of the .scr file (now named as an .exe) would be executed on the next start up due to a Policy statement located in "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\818107311"

This resulted in the downloaded of a 7200 byte ".mod" file

More Disk57.com sightings

Disk57.com was also used as part of the malware infrastructure for malware samples distributed by the following spam campaigns:

June 16 - Wells Fargo
June 17 - USPS
June 18 - HSBC
June 18 - Xerox
June 18 - New Fax
June 30 - HSBC - Subject: Avis de Paiement
June 30 - New Fax - Subject: You have received a new fax message
June 30 - Scanned Document - Subject: Scan de
July 1 - BanquePopulaire
July 1 - French government
July 3 - Xerox
July 3 - UPS
July 3 - Wells Fargo

On June 30th, we saw the same technique used as in the June 16th campaigns. Three different .zip files, each containing a .scr file that was named differently, but where all samples had the same MD5 hash (MD5: 66dcf2e32aa902e2ffd4c06f5cb23b43 - VirusTotal detection 11/54 at report time.)

As on June 16th, executing the .scr file resulted in an exchange with the "gate.php" file on disk57.com on 188.190.117.93, resulting in a 7200 byte ".mod" file being downloaded.

On June 30th, however, this exchange resulted in a copy of the Cutwail binary, b02.exe, being downloaded from jasongraber.com on the path /css/b02.exe. (IP 192.64.181.14). b02.exe had a file size of 41,472 bytes - MD5: 84822121b11cce3c8a75f27c1493c6bb with a VirusTotal report of 2/54 at report time.

Upatre Updated

On July 3rd, spam campaigns imitating Xerox, UPS, and Wells Fargo used this same technique again with email subjects:

Subject: Scan from a Xerox WorkCentre - seen 1209 times by Malcovery
Subject: New Fax: # pages - seen 288 times by Malcovery
Subject: IMPORTANT - Confidential documents - seen 88 times by Malcovery
Subject: UPS - Credit Card Billing Adjustment. Ref#(random) - seen 178 times by Malcovery

1,941 messages were sent to our Spam Data Mine from 1,037 different sending IP addresses.

The .zip files still contained .scr files that were all the same
file size (23,040 bytes) MD5: 870c63c4420b6f187066a94ef6c56dc6 - VirusTotal report: 1/53 at report time.

However this time there were three very different URLs downloaded as a result of the initial click. The downloaded malware behaved almost exactly like the UPATRE samples that were used to distribute the encrypted version of GameOver Zeus that we wrote about back in February. (See: GameOver Zeus Now Uses Encryption to Bypass Perimeter Security.)

UPATRE Update

The UPATRE malware that was signature detected only by Sophos (as the useful name Mal/Generic-S) on July 3rd now has 43 detections at VirusTotal, although most are crap as usual, with regards to the usefulness of the names chosen by the vendors. Zbot.LDQ, Trojan/Win32.Zbot (but it clearly isn't Zeus, it's just a tiny downloader, which is what several vendors call it (Trojan.Win32.Tiny.bNKP). Several other vendors call it Ransomware or Crypto something or another (Trojan-Ransom.Win32.Cryptodef.oq, Win32/Ransom.ABOQAMB, TROJ_CRYPWALL.JER, Trojan.Win32.A.Cryptodef.23040). Only Microsoft called it Upatre (TrojanDownloader:Win32/Upatre.AA) although that is clearly the consensus of the AV analysts we have discussed the sample with. In this case the job of UPATRE is to download files that CLAIM to be PDF files, "convert/unpack/decrypt" them into .exe files, and then launch those .EXE files.

Three touches to the OVH (AS16276) IP address 94.23.247.202 resulted in three files so-called PDF files being downloaded from repele.net on IP address 82.220.34.132, each with the name "css/agreement.pdf". UPATRE did its magic, converting each of these files into another binary executable:

After encrypting files, the victim is shown the following text, with a timer counting down from 168 hours:

Your files are encrypted.
To get the key to decrypt the files you have to pay 750 USD/EUR. If payment is not made before 10/07/14 - 15:37 the cost of decrypting files will increase 2 times and will be 1500 USD/EUR

(Other files found in that subdirectory included, DECRYPT_INSTRUCTION.HTML, DECRYPT_INSTRUCTION.TXT, and DECRYPT_INSTRUCTION.URL.)

What to do?

First and foremost, we need to get rid of Cutwail. This will be difficult as Russia continues to harbor their cyber criminals, allow them to bribe themselves out of prison and into government offices and contracts, and seems to treat their rampant theft of American and European wealth as a form of Economic Development.

In the meantime, we need to begin smashing their infrastructure at every chance we can get. Seize the hardware if we can, disable the routing of the traffic if we can't, and DEFINITELY block that infrastructure within our homes and companies!

Do yourself and your company a favor by sharing a link to this blog and recommending that your IT Security staff block the addresses shared above. If you live in a country where you can help, please do so!